ActiveSync credential separation and disabled users
Onno Hensgen
onno.hensgen at aquaduna.com
Sat Feb 9 02:04:36 CET 2013
> Said IMAP frontend(s) - you would hit these specifically from the
> ActiveSync web-servers only - can use a different LDAP attribute (than
> userPassword) using a fast_bind(), or not use LDAP at all (and instead
> do sasldb2, or SQL, or ...). Frontends connect to IMAP backends using
> proxy authorization, and so no user credentials are required further
> down the line.
I'm having trouble adding an attribute to the 99kolab2.ldif schema in 'dirsrv/slapd-mail/schema'.
I added an attribute:
attributeTypes: ( 1.3.6.1.4.1.19414.99.50.1
NAME 'externalImapAllowed'
DESC 'User is allowed to use imap/smtp from outside the company'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
And I modified the kolabInetOrgPerson:
objectClasses: ( 1.3.6.1.4.1.19414.3.2.2
NAME 'kolabInetOrgPerson'
......
kolabAllowSMTPSender $
kolabDeleteflag $
externalImapAllowed ) )
When I now try to modify the new attribute, I get the following error:
modifying entry "uid=doe,ou=People,dc=aquaduna,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "alias" not allowed
I'm a bit confused why it complains about the 'alias' now. Without my modification, I can modify attributes... Is that the right place for my modifications?
> An alternative approach (I'm not a fan of) is to use proxy
> authorization right from the start - this would avoid the need to proxy
> the IMAP connection, as well as avoid the need to run a Cyrus IMAP
> Murder topology, but makes a compromise in that of course, for
> day-to-day individual user's operations the use of administrative
> credentials should be avoided.
I'm wondering if I understood your suggestion right, but I'm not sure if I got the 'proxy authentication part' right:
I set up an nginx mail proxy which authenticates the user against the LDAP directory (using IMAP with SSL).
The proxy then forwards to the real IMAP server (plain, no SSL/TLS; nginx does not seem to support SSL/TLS for the backend). So the user is authenticated with his own credentials again.
Does that setup implement what you said would be good practice (your first suggestion) or am I getting something wrong?
And I had to set allowplaintext to 'yes' in the imapd.conf to make nginx work. I won't open the 'real' cyrus-imap ports to the outside world, only the proxy, and proxy and mailserver are on the same machine. Are there any security concerns about that?
BTW: I'm documenting all my steps and if someone's interested, I would be glad to publish it.
Thanks for your hints,
Onno
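Added example (not from the original post, and not Kolab's or nginx's own code): a minimal auth_http endpoint of the kind nginx's mail proxy calls before it opens the backend connection. It ties the two halves of the question together: the credential check stands in for the LDAP bind (here a constructed in-memory directory, labelled as such), the new externalImapAllowed attribute gates external access, and a successful answer points nginx at a Cyrus backend assumed to listen on 127.0.0.1 only, so the plaintext leg never leaves the host. The header names (Auth-User, Auth-Pass, Auth-Protocol, Auth-Status, Auth-Server, Auth-Port, Auth-Wait) are nginx's documented auth_http protocol; the directory contents, port 9000 and the backend port map are assumptions.

```python
"""Minimal nginx mail-proxy auth_http endpoint (hypothetical example).

nginx's mail module issues a GET to this endpoint with the client's
credentials in request headers and expects Auth-Status / Auth-Server /
Auth-Port headers back.  Only Auth-Status "OK" makes nginx connect to the
backend, so a user without externalImapAllowed=TRUE never reaches Cyrus.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote
import hmac

# Constructed sample directory standing in for the LDAP lookup/bind:
# uid -> password and the externalImapAllowed attribute from 99kolab2.ldif.
DIRECTORY = {
    "doe": {"password": "correct horse", "externalImapAllowed": "TRUE"},
    "internal": {"password": "staff only", "externalImapAllowed": "FALSE"},
}

# Assumption: Cyrus binds to loopback only, so the proxy->backend plaintext
# session (allowplaintext: yes) is confined to the machine.
BACKEND_HOST = "127.0.0.1"
BACKEND_PORT = {"imap": 143, "pop3": 110, "smtp": 25}


def lookup_user(uid, directory=DIRECTORY):
    """Fetch the user's entry; a real deployment would query LDAP here."""
    return directory.get(uid)


def decide(protocol, user, password, directory=DIRECTORY):
    """Return the response headers nginx expects for this login attempt."""
    entry = lookup_user(user, directory)
    # Constant-time compare of the constructed password; in production this
    # step is the LDAP bind (or a fast_bind against a separate attribute).
    if entry is None or not hmac.compare_digest(
        entry["password"].encode(), password.encode()
    ):
        # Auth-Wait slows down guessing; the status text is shown to the client.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    if entry.get("externalImapAllowed", "FALSE").upper() != "TRUE":
        return {"Auth-Status": "External access not permitted", "Auth-Wait": "3"}
    port = BACKEND_PORT.get(protocol)
    if port is None:
        return {"Auth-Status": "Unsupported protocol", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": BACKEND_HOST, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        h = self.headers
        # nginx URL-escapes the user name and password in these headers.
        response = decide(
            h.get("Auth-Protocol", "imap"),
            unquote(h.get("Auth-User", "")),
            unquote(h.get("Auth-Pass", "")),
        )
        self.send_response(200)
        for name, value in response.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):
        # Suppress the default access log so Auth-Pass never lands on disk.
        pass


if __name__ == "__main__":
    # Bind to loopback: nginx's auth_http directive would point at
    # 127.0.0.1:9000/auth on the same host (assumed layout).
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Because the endpoint, not the client, decides which backend address and port nginx dials, keeping Cyrus on loopback and returning only 127.0.0.1 here is what actually confines the plaintext leg; the proxy's own listener is the only socket that needs to face outward.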